technology

Meitu – Viral Anime Chinese Selfie App Is A Privacy Nightmare

Meitu is becoming an increasingly popular app that alters your selfie into a charming anime character. However, when installing, besides giving you an absurd makeover, it requests access to almost all data on your Android or iOS smartphone.

Over the last few years, there have been numerous cases and discussions if apps should have to access to a variety of data and functions on a smartphone, usually justifying that in order to deliver proper service to clients. Not many app developers, especially big ones, were ready to reply responsibly and ask for the fewest number of “permissions” so they don’t have access to anything they don’t absolutely need.

In the case of Meitu, having access to your camera is natural, but the problem appears when it asks for your GPS location, cell carrier information, Wi-Fi connection data, SIM card information, jailbreak status, and personal identifiers that could be used to track you and your device across the web. When it comes to mind that relatively unknown, a Chinese company is doing that, it sure raises some issues about your privacy.

One of the possible explanations is that Meitu included pre-built analytics and ad-tracking packages, so they can show relevant ads and improve the app according to user’s behavior. Of course, this company is far from being the only one doing so (remember Pokemon Go?), and the best way to keep yourself safe is to read the permission request list when you are browsing through Google Play. If you can’t figure out the business model, the app could well be collecting and selling some of your personal information to advertising services looking to dole out more and more effective ads.

“I could spend days analyzing this code,” says iOS security researcher and forensics expert Jonathan Zdziarski, who gave the Meitu app a once-over. “It’s mostly par for the course junk. I didn’t see anything overtly evil, but that doesn’t mean there’s not something more serious in there. The thing [that’s noteworthy] is the number of different analytics and ad tracking packages they’ve loaded into the app. I counted at least half a dozen different packages in there. You don’t generally need that many unless you’re selling data.”

It’s no fun letting a meme pass you up because you’re worried about privacy, but it’s even worse to have your personal data taken for who knows what without you realizing it. Meitu may not be an outlier in the world of adware-bundled apps, but its popularity provides a useful teachable moment. Like a fantastical anime makeover, free apps often look snazzier on the surface than what’s hiding underneath.